From: "Chao Shin"
To: freebsd-security@freebsd.org, "Lev Serebryakov"
Date: Wed, 12 Oct 2011 12:29:05 +0800
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility
In-Reply-To: <679126918.20110922121706@serebryakov.spb.ru>
References: <679126918.20110922121706@serebryakov.spb.ru>
Organization: GeekCN
List-Id: "Security issues [members-only posting]"

> Hello, Freebsd-security.
>
> I have a chicken-and-egg problem with the wheel group and the su utility when
> all users but root are stored in LDAP.
>
> The wheel group should be in /etc/group to allow basic system services
> to start before LDAP is available.
>
> But when "wheel" is in /etc/group with only "root" as a member (as all
> other members are in LDAP), the system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!
>
> What is the proper way to resolve this problem?

I don't have a system to test this now, but you can try the config below in your nsswitch.conf:

    group: files [success=return notfound=continue] ldap
    passwd: files [success=return notfound=continue] ldap

I didn't meet this problem in my last company's environment.

-- 
The Power to Serve
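The behaviour both posters are describing follows from how nsswitch.conf(5) walks the sources listed for a database: each source returns a status (success, notfound, unavail, tryagain) and the bracketed criteria decide whether to return or continue, with success=return and notfound=continue being the defaults. The model below is an added example, not code from this thread or from FreeBSD; it simulates that dispatch for the group database over constructed "files" and "ldap" data, so you can see why a files-first ordering hands back the /etc/group "wheel" entry and never consults LDAP for it, and how a different ordering changes the answer. The source names, group data and the ldap_up flag are constructed for the illustration.

```python
"""Simulate nsswitch.conf(5) source dispatch for the group database.

Added example (not from the mailing-list thread): a small model of how the
resolver walks the sources listed for a database and applies the
[status=action] criteria after each one, using constructed data for the
"files" (/etc/group) and "ldap" sources.
"""
import re

# Lookup statuses a source can return, as named in nsswitch.conf(5).
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"

# Default criteria: stop on a hit, keep going on anything else.
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}

# Constructed sample data: "wheel" exists in files with only root,
# and again in LDAP with the real administrators.
FILES_GROUPS = {"wheel": ["root"], "operator": ["root"]}
LDAP_GROUPS = {"wheel": ["root", "alice", "bob"], "developers": ["alice"]}


def parse_line(line):
    """Parse one nsswitch.conf line such as
    'group: files [success=return notfound=continue] ldap'
    into (database, [(source, {status: action}), ...])."""
    db, _, rest = line.partition(":")
    entries = []
    # A bracketed criteria block is one token; everything else is a source name.
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("criteria must follow a source name")
            crit = dict(DEFAULT_ACTIONS)
            for pair in tok.strip("[]").split():
                status, action = pair.split("=")
                crit[status.lower()] = action.lower()
            entries[-1] = (entries[-1][0], crit)
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), entries


def query(source, name, ldap_up=True):
    """Ask one source for a group; returns (status, members)."""
    if source == "files":
        return (SUCCESS, FILES_GROUPS[name]) if name in FILES_GROUPS else (NOTFOUND, None)
    if source == "ldap":
        if not ldap_up:          # directory unreachable, e.g. early in boot
            return UNAVAIL, None
        return (SUCCESS, LDAP_GROUPS[name]) if name in LDAP_GROUPS else (NOTFOUND, None)
    raise ValueError(f"unknown source {source!r}")


def getgrnam(conf_line, name, ldap_up=True):
    """Walk the sources for the group database in order and return the
    members from the first source whose status maps to 'return'.
    Returns None when the lookup ends without a group (notfound)."""
    db, entries = parse_line(conf_line)
    if db != "group":
        raise ValueError("this model only handles the group database")
    for source, actions in entries:
        status, members = query(source, name, ldap_up)
        if actions[status] == "return":
            return members if status == SUCCESS else None
    return None


if __name__ == "__main__":
    files_first = "group: files [success=return notfound=continue] ldap"
    print("files first, wheel:", getgrnam(files_first, "wheel"))
    print("files first, developers:", getgrnam(files_first, "developers"))
    print("ldap first, wheel:", getgrnam("group: ldap files", "wheel"))
    print("ldap first, LDAP down:", getgrnam("group: ldap files", "wheel", ldap_up=False))
```

With the files-first line the "wheel" lookup succeeds in /etc/group and returns at once, so the LDAP members are never seen, which is the original poster's symptom; groups that exist only in LDAP are still found because files answers notfound and the default action continues. Reversing the order returns the LDAP membership while the directory is up and falls back to /etc/group when the ldap source reports unavail. The model ignores the time a real nss_ldap lookup spends waiting on an unreachable directory, which is the cost the original poster is trying to avoid during early boot.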